denial for RequestName and bind on org.freedesktop.Application

Bug #1357371 reported by Jamie Strandboge on 2014-08-15
Affects: webbrowser-app (Ubuntu)

Bug Description

This is bug #1342129, but for qtwebkit. This bug doesn't appear to affect the general functionality of the webapp.

Test case:
1. install r193 (or later) in the emulator
2. install Pixel Runner from the store
3. Open Pixel Runner

The app starts (but with a blank screen, see bug #1357375) and the following apparmor denial can be observed:
Aug 15 13:17:04 ubuntu-phablet dbus[1575]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="RequestName" mask="send" name="org.freedesktop.DBus" pid=3292 profile="com.ubuntu.developer.ogra.pixel-runner_pixel-runner_0.1" peer_profile="unconfined"

As it happens, we can add a rule for this that is safe:
dbus (send)

However, after adding the above rule to /var/lib/apparmor/profiles/*pixel*, running 'sudo apparmor_parser -r /var/lib/apparmor/profiles/*pixel*', and starting the app, we get a new denial:
Aug 15 13:18:47 ubuntu-phablet dbus[1575]: apparmor="DENIED" operation="dbus_bind" bus="session" name="org.freedesktop.Application" mask="bind" pid=3774 profile="com.ubuntu.developer.ogra.pixel-runner_pixel-runner_0.1"

If we add the following rule (which is not safe), there are no more denials:
dbus (bind)

This denial is the same as in bug #1342129 and we can't safely add policy for it (see other bug for reasons why).

Not sure if this is in webbrowser-app or qtwebkit, please reassign as necessary.
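
The two denials above can be triaged mechanically. The following is an added example, not part of the original report or of any Ubuntu policy: it parses the quoted log lines and builds, for review, a rule scoped to exactly what was denied. The function names are hypothetical, and emitting an explicit deny for bind follows the conclusion reached later in this thread.

```python
import re

# The two denials quoted in the report above, copied verbatim, plus one
# constructed non-D-Bus line to show that unrelated entries are skipped.
SAMPLE_LOG = """\
Aug 15 13:17:04 ubuntu-phablet dbus[1575]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="RequestName" mask="send" name="org.freedesktop.DBus" pid=3292 profile="com.ubuntu.developer.ogra.pixel-runner_pixel-runner_0.1" peer_profile="unconfined"
Aug 15 13:18:47 ubuntu-phablet dbus[1575]: apparmor="DENIED" operation="dbus_bind" bus="session" name="org.freedesktop.Application" mask="bind" pid=3774 profile="com.ubuntu.developer.ogra.pixel-runner_pixel-runner_0.1"
Aug 15 13:19:02 ubuntu-phablet kernel: apparmor="DENIED" operation="open" name="/constructed/example" pid=1 profile="constructed_example"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\d+))')

def parse_denial(line):
    """Return the fields of an AppArmor D-Bus denial as a dict, else None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    if not fields.get("operation", "").startswith("dbus_"):
        return None
    return fields

def candidate_rule(f):
    """Build a rule scoped to exactly what was denied, for human review."""
    if f["operation"] == "dbus_bind":
        # Here name= is the well-known name the app tried to own. The thread
        # concludes this stays denied, so emit an explicit deny rule.
        return f'deny dbus (bind) bus={f["bus"]} name={f["name"]},'
    # For method calls name= is the peer's bus name, so it goes inside peer=().
    parts = [f'dbus ({f["mask"]})', f'bus={f["bus"]}']
    parts += [f'{k}={f[k]}' for k in ("path", "interface", "member") if k in f]
    peer = [f'{k}={f[src]}'
            for k, src in (("name", "name"), ("label", "peer_profile")) if src in f]
    if peer:
        parts.append(f'peer=({", ".join(peer)})')
    return " ".join(parts) + ","

def triage(log):
    """Map each confined profile to the candidate rules for its D-Bus denials."""
    rules = {}
    for line in log.splitlines():
        f = parse_denial(line)
        if f:
            rules.setdefault(f["profile"], []).append(candidate_rule(f))
    return rules

if __name__ == "__main__":
    for profile, rules in triage(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
```

Note that the `name=` field means the peer's bus name in the `dbus_method_call` denial but the name being claimed in the `dbus_bind` denial, which is why the two end up in different places in the generated rules.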

description: updated
Changed in webbrowser-app (Ubuntu):
importance: Undecided → Critical
Changed in webbrowser-app (Ubuntu):
importance: Critical → Undecided
description: updated
summary: - qtwebkit-based webapps no longer working
+ qtwebkit-based webapps denial for RequestName and bind on
+ org.freedesktop.Application

As I understand it, this is exactly the same issue as bug #1342129, nothing specific to QtWebKit.

Olivier Tilloy (osomon) wrote :

… but QtWebKit-based webapps use an old version of the policy that doesn’t have the fix.

Those apps will need to upgrade the version of the policy in their manifest (and by doing so they will automatically switch to using Oxide as a rendering backend).

Olivier Tilloy (osomon) wrote :

For reference, this is the code that triggers the org.freedesktop.Application RequestName and bind calls:

The UriHandler object is defined by the SDK, this code is not specific to the webapp container.

Jamie Strandboge (jdstrand) wrote :

Based on that, I think I will simply deny this since this is not the method apps should be communicating with each other under confinement.

summary: - qtwebkit-based webapps denial for RequestName and bind on
- org.freedesktop.Application
+ denial for RequestName and bind on org.freedesktop.Application